And ahci_port_write(AHCI_PORT_REG_CMD) doesn't check ahci_cond_start_engines() return value, calling ahci_init_d2h() even if former failed.
-- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1911075 Title: [OSS-Fuzz] ahci: stack overflow in ahci_cond_start_engines Status in QEMU: Confirmed Bug description: === Reproducer === while true; do cat << EOF; done | ./qemu-system-i386 -machine q35 -nodefaults -nographic -qtest stdio -accel qtest outl 0xcf8 0x8000fa27 outl 0xcfc 0x37414537 outl 0xcf8 0x8000fa01 outl 0xcfc 0x4606ce74 writew 0x37000f01 0x215a writeq 0x37000100 0xfffaf writeq 0x37000115 0xffff373d27004037 outl 0xcf8 0x8000fa01 outl 0xcfc 0x4606ce74 writeq 0x370000ff 0x3700011500 writeq 0x37000115 0xc41ffffff035a5a outl 0xcf8 0x8000ea04 outb 0xcfc 0x15 outl 0xcf8 0x8000ea00 outw 0xcfc 0x5a1f writeq 0x37000115 0x100007765746972 writeq 0x37000115 0xbf00000000000000 outl 0xcf8 0x8000ea04 outb 0xcfc 0x15 outl 0xcf8 0x8000fa46 outb 0xcfc 0xff clock_step writeq 0x37000115 0xaf writeq 0x37000115 0x6301275541af7415 writeq 0x37000115 0xafaf5a5a743715 outb 0x64 0xfe EOF === Stack Trace === ==887446==ERROR: UndefinedBehaviorSanitizer: stack-overflow on address 0x7ffe567cae0c (pc 0x7fdd9100819e bp 0x7ffe567cb2b0 sp 0x7ffe567cad40 T887446) #0 vfprintf #1 fprintf #2 ahci_mem_write /src/qemu/hw/ide/ahci.c:468:9 #3 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5 #4 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18 #5 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13 #6 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23 #7 flatview_write /src/qemu/softmmu/physmem.c:2799:14 #8 address_space_write /src/qemu/softmmu/physmem.c:2891:18 #9 address_space_unmap /src/qemu/softmmu/physmem.c:3217:9 #10 dma_memory_unmap /src/qemu/include/sysemu/dma.h:226:5 #11 map_page /src/qemu/hw/ide/ahci.c:249:9 #12 ahci_map_clb_address /src/qemu/hw/ide/ahci.c:748:5 #13 ahci_cond_start_engines /src/qemu/hw/ide/ahci.c:276:14 #14 ahci_port_write /src/qemu/hw/ide/ahci.c:339:9 #15 ahci_mem_write /src/qemu/hw/ide/ahci.c:513:9 #16 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5 #17 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18 #18 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13 #19 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23 #20 flatview_write /src/qemu/softmmu/physmem.c:2799:14 #21 address_space_write /src/qemu/softmmu/physmem.c:2891:18 #22 address_space_unmap /src/qemu/softmmu/physmem.c:3217:9 #23 dma_memory_unmap /src/qemu/include/sysemu/dma.h:226:5 #24 map_page /src/qemu/hw/ide/ahci.c:249:9 #25 ahci_map_clb_address /src/qemu/hw/ide/ahci.c:748:5 #26 ahci_cond_start_engines /src/qemu/hw/ide/ahci.c:276:14 #27 ahci_port_write /src/qemu/hw/ide/ahci.c:339:9 #28 ahci_mem_write /src/qemu/hw/ide/ahci.c:513:9 ... Repeat until we run out of stack To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1911075/+subscriptions
